Hello All,
I am looking for some help on an issue with two VPN networks.
My current system layout:

I am unable to route traffic from the VPN user on 10.8.0.34 to the web server on the local LAN, 10.7.1.2.

The VPN server (10.8.0.1) can ping the 10.7.1.2 address fine, but the user cannot.
I have tried everything and my brain is falling apart lol.

The pf.conf for the first BSD OpenVPN box (10.8.0.1):

Code:

#Variables
########################
ext_if="sis0" #Internet
srv_if="sis1" #Server link
drc_if="sis2" #DRAC link
vps_if="tun0" #VPN interface that runs as server (for user connection)
vpc_if="tun1" #VPN interface that runs as client (for server connection)
ovpn=1194
#Initial set up
########################
#set skip on lo
#scrub in
#Redirects & NAT
########################
#Redirect traffic over FSP VPN from FSP to the server
#rdr pass on $vps_if from any to any -> 192.168.1.2
#rdr pass on $vps_if from any to any -> 10.8.0.30
pass out on tun0 from 10.8.0.34/32 to any nat-to 10.9.0.5
#Direct traffic over the FAD VPN from the server to the FADs network
nat pass on $vpc_if from $vps_if:network to 10.8.254/0 -> $vpc_if
#Direct telnet over FAD connection to DRAC
#rdr pass on $vpc_if proto tcp from any to any port 23 -> 192.168.2.2
#RULES
########################
#block all
#External Interface
#Allow VPN connection in
pass in on $ext_if proto udp from any to any port $ovpn
#Allow SSH in from Evidence Talks
#pass in on $ext_if proto tcp from $et to any port ssh
pass in on $ext_if proto tcp from any to any port ssh
#Allow all out
pass out on $ext_if all
#Server Interface
pass on $srv_if all
#DRAC Interface
pass on $drc_if all
#VPN Server interface
pass on $vps_if all
#VPN client interface
pass on $vpc_if all

And now the pf.conf for the last BSD OpenVPN box (10.9.0.1):

Code:

## Configuration
#####################
#Interfaces
ext_if="em0" #Interface to internet
int_if="em1" #Internal interface to network
#Ports
ovpn="1194"
rdp="3389"
#Port sets
allowed_web_server_ports="{" $rdp mysql "}"
#IPs
web_ip="10.7.1.2" #Web server IP
web_ports="{ http https }" #allowed ports on web server
#NOTE: $etl_source_ips is used in the rules below but its definition is not shown in this post;
#it must be defined (e.g. etl_source_ips="{ <Evidence Talks source addresses> }") or pfctl will refuse to load the file
#RULES
########################
set skip on lo
#block all
# HTTP/S allowed and forwarded to web server
#Redirect HTTP/S to web server
pass in on $ext_if proto tcp from any to any port $web_ports rdr-to $web_ip
#Allow RDP and MySQL and redirect to web server - only From ETL
pass in on $ext_if proto tcp from $etl_source_ips to any port $allowed_web_server_ports rdr-to $web_ip
#NAT traffic from web server to internet
pass out on $int_if from $web_ip to any nat-to $ext_if
# Allow OpenVPN connections
pass in quick on $ext_if proto udp from any to any port $ovpn #VPN
# Allow ssh connections from Evidence Talks
pass in on $ext_if proto tcp from $etl_source_ips to any port ssh
#Allow all out
pass out on $ext_if all
#Internal Interface - allow anything
pass on $int_if all

If anyone could shed some light on the issue I would be a very happy man.

Last edited by J65nko; 28th January 2013 at 12:38 PM.
Reason: [code] and [/code] tags ;)

I'd like to help. Could you provide more info? This could be a routing issue, or this could be a packet forwarding issue, and I'd like to see if we can rule both out. If both of those possibilities are eliminated, it may be an OpenVPN configuration issue. I have not used OpenVPN in many, many years, so I won't be able to help with that. The VPNs I manage are either IPSec tunnels, or for some clients L2TP tunnels with IPSec transport (L2TP/IPSec).

You described that there is successful two-way interconnection between 10.8.0.1 and 10.7.1.2, but no success with 10.8.0.34 and 10.7.1.2.

I could see this as a routing problem, if 10.8.0.34 and 10.8.0.1 are on different subnets. You have not described your netmasks for your 10.8 addresses, so this is a possibility -- the 10.9 device would need to have a routing table entry added to route to the second 10.8 subnet.

I could see this as a packet forwarding problem, if you have not enabled the IPv4 packet forwarding sysctl on OpenBSD. This is easy to check; you would have edited /etc/sysctl.conf and uncommented the net.inet.ip.forwarding sysctl to set it to 1 on boot.

Last edited by jggimi; 28th January 2013 at 01:27 PM.
Reason: clarity, typo
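The two checks suggested in the reply above (are the VPN client and server really on one subnet for the netmask in use, is IPv4 forwarding enabled on the OpenBSD box, and does the 10.9 box have a route covering the 10.8 client) can be worked through offline. The script below is an added example and is not code from either poster; the sysctl.conf and `route -n show -inet` samples are constructed for illustration, the function names are hypothetical, and 203.0.113.1 is a documentation-range placeholder gateway.

```python
"""Offline diagnostics for "VPN client cannot reach a host behind the VPN server".

1. same_subnet():        does the client address sit in the server's subnet for a given mask?
2. forwarding_enabled(): does an OpenBSD /etc/sysctl.conf turn on net.inet.ip.forwarding?
3. best_route():         which route(8) entry would carry packets to a given destination?
"""
import ipaddress
import re

# --- Constructed sample inputs (not taken from the original thread) -------------

# Stock OpenBSD sysctl.conf keeps forwarding commented out; the second copy enables it.
SYSCTL_CONF_DEFAULT = """\
#net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
"""
SYSCTL_CONF_ROUTER = """\
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
#net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
"""

# A constructed `route -n show -inet` table for the 10.9.0.1 box. Note that there is
# no entry for 10.8.0.0/24, so replies to the VPN user would follow the default route.
ROUTE_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            203.0.113.1        UGS        0        0     -     8 em0
10.7.1.0/24        link#2             UC         0        0     -     4 em1
10.9.0.0/24        10.9.0.2           UG         0        0     -     8 tun0
10.9.0.2           link#3             UHl        0        0     -     4 tun0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
"""


def same_subnet(server_addr: str, client_addr: str, netmask: str) -> bool:
    """True if client_addr falls inside server_addr/netmask (dotted quad or prefix length)."""
    net = ipaddress.ip_network(f"{server_addr}/{netmask}", strict=False)
    return ipaddress.ip_address(client_addr) in net


def forwarding_enabled(sysctl_conf: str) -> bool:
    """True only if an uncommented net.inet.ip.forwarding=1 line is present (last one wins)."""
    enabled = False
    for raw in sysctl_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including a leading '#'
        if not line:
            continue
        m = re.match(r"net\.inet\.ip\.forwarding\s*=\s*(\d+)$", line)
        if m:
            enabled = m.group(1) == "1"
    return enabled


def _expand_dest(dest: str) -> ipaddress.IPv4Network:
    """Turn route(8) destination shorthand ('default', '127/8', '10.9.0.2') into a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))  # '127' -> '127.0.0.0'
    return ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)


def best_route(route_table: str, dest_ip: str):
    """Return (network, gateway, iface) of the longest-prefix route covering dest_ip, or None."""
    target = ipaddress.ip_address(dest_ip)
    best = None
    for line in route_table.splitlines():
        fields = line.split()
        if len(fields) < 8:  # skip blank lines, "Routing tables", "Internet:"
            continue
        try:
            net = _expand_dest(fields[0])
        except ValueError:  # the "Destination Gateway ..." header line
            continue
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, fields[1], fields[-1])
    return best


def has_specific_route(route_table: str, dest_ip: str) -> bool:
    """False when only the default route would carry traffic to dest_ip."""
    route = best_route(route_table, dest_ip)
    return route is not None and route[0].prefixlen > 0


if __name__ == "__main__":
    for mask in ("255.255.255.0", "30"):
        print(f"10.8.0.34 inside 10.8.0.1 with mask {mask}:", same_subnet("10.8.0.1", "10.8.0.34", mask))
    print("forwarding (stock sysctl.conf):", forwarding_enabled(SYSCTL_CONF_DEFAULT))
    print("forwarding (router sysctl.conf):", forwarding_enabled(SYSCTL_CONF_ROUTER))
    print("route from 10.9.0.1 to the VPN user:", best_route(ROUTE_TABLE, "10.8.0.34"))
    print("specific route to 10.8.0.34 present:", has_specific_route(ROUTE_TABLE, "10.8.0.34"))
```

The netmask check matters because OpenVPN's older net30 topology hands each client its own /30, in which case 10.8.0.34 and 10.8.0.1 are not on one subnet even though both are 10.8.0.x; on the real boxes the same questions are answered by `sysctl net.inet.ip.forwarding` and `route -n show -inet`, and this script only shows how to read their output.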